Add libaudit support

Bug #1478087 reported by bugproxy on 2015-07-24
24
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Light Display Manager
Medium
Unassigned
1.10
Medium
Unassigned
1.14
Medium
Unassigned
1.16
Medium
Unassigned
1.2
Medium
Unassigned
lightdm (Ubuntu)
Medium
Unassigned
Trusty
Medium
Unassigned
Vivid
Medium
Unassigned
Wily
Medium
Unassigned
openssh (Debian)
Fix Released
Unknown
openssh (Ubuntu)
Medium
Unassigned
Trusty
Medium
Mathieu Trudel-Lapierre
Vivid
Low
Unassigned
Wily
Medium
Unassigned
shadow (Ubuntu)
Medium
Unassigned
Trusty
Medium
Mathieu Trudel-Lapierre
Vivid
Low
Unassigned
Wily
Medium
Unassigned

Bug Description

[Impact]
Auditing support is a commonly used feature in large enterprises, and allows better tracking of actions happening on secured systems, especially when it comes to accounting for login events.

Such systems fail to correctly list login events in aureport due to some software not integrating libaudit.

[Test Case]
1) Install auditd
2) Login to the system multiple times (or allow for others to connect to the system)
3) Run aureport -l

System should list login information.

[Regression Potential]
There is minimal risk for issues since libaudit support only allows for generating extra logging saved on the local system. A possible side-effect of this may be that systems on which auditing is enabled and where there are many users of the affected software (see bug tasks), such as many logins over SSH, there may be an increased demand on disk space necessary for the auditing data.

---

-- Problem Description --
We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to
ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login
info.

root@lakelp1:~# /etc/init.d/auditd status
 * auditd is running.

root@lakelp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1

root@lakelp1:~# grep -i login /var/log/audit/audit.log
type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1
type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1
type=LOGIN msg=audit(1437642700.295:90): pid=21504 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=6 res=1
type=LOGIN msg=audit(1437642765.339:104): pid=16628 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=LOGIN msg=audit(1437644638.593:130): pid=44443 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=8 res=1

root@lakelp1:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
<no events of interest were found>

This looks like a bug in aureport or libaudit. In addition to giving admins falsely empty record selections, this would prevent successful completion of a Common Criteria certification.

Related branches

bugproxy (bugproxy) on 2015-07-24
tags: added: architecture-ppc64le bugnameltc-127965 severity-critical targetmilestone-inin---
Luciano Chavez (lnx1138) on 2015-07-24
affects: ubuntu → audit (Ubuntu)
Changed in audit (Ubuntu):
assignee: nobody → Taco Screen team (taco-screen-team)
bugproxy (bugproxy) on 2015-07-24
tags: added: targetmilestone-inin14043
removed: targetmilestone-inin---

------- Comment From <email address hidden> 2015-07-28 21:47 EDT-------
Looks like LOGIN records are also omitted from ausearch (try ausearch -i). That seems to point to a libaudit issue.

Another strange thing is if it try to ltrace aureport or ausearch, it fails with a sigsegv.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2015-07-29 14:29 EDT-------
This is not critical to have in 14.04.3 release for 8/06. However, it should go into service stream and must be in 16.04. According to George, it is a security issue in that it will falsely show that no logins took place when the admin specifically looks for them. It could cause an audit noncompliance for a variety of hardening standards (Common Criteria)

bugproxy (bugproxy) on 2015-08-03
tags: added: severity-high targetmilestone-inin1510
removed: severity-critical targetmilestone-inin14043

The bug is not in aureport or libaudit. aureport looks for AUDIT_USER_LOGIN events in the audit log but we're not generating them in login programs due to libaudit support not being enabled at build time or, in the case of lightdm, missing libaudit support.

Note that we are generating an AUDIT_LOGIN event from the kernel upon login but aureport and friends are looking for AUDIT_USER_LOGIN events from userspace.

This will require changes to a several packages. So far, I've been able to determine that openssh needs to be built with --enable-audit=linux and lightdm needs to be patched to generate AUDIT_USER_LOGIN events. The lightdm pam configs may also need updating for calling out to pam_loginuid.so but I'm not sure if that's required at this point.

The shadow package was recently modified to enable libaudit support (https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu5) so that change will need to be SRU'ed.

The util-linux source package can generate AUDIT_USER_INFO events from its login program but we're using the login program from the shadow source package. After looking at the util-linux source, I don't see a reason to build it against libaudit at this time.

Tyler Hicks (tyhicks) wrote :

I've created an upstream lightdm merge request to add login and logout auditing support:

  https://code.launchpad.net/~tyhicks/lightdm/auditing/+merge/269828

I've also submitted the (simple) changes needed in the openssh package to Debian since Colin keeps the Debian and Ubuntu openssh package in sync:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797727

Tyler Hicks (tyhicks) on 2015-09-11
no longer affects: audit (Ubuntu Trusty)
no longer affects: audit (Ubuntu Vivid)
no longer affects: audit (Ubuntu Wily)
Changed in audit (Ubuntu):
status: New → Invalid
Changed in lightdm (Ubuntu Wily):
status: New → Triaged
Changed in lightdm (Ubuntu Vivid):
status: New → Triaged
Changed in lightdm (Ubuntu Trusty):
status: New → Triaged
Changed in openssh (Ubuntu Trusty):
status: New → Triaged
Changed in openssh (Ubuntu Vivid):
status: New → Triaged
Changed in openssh (Ubuntu Wily):
status: New → Triaged
Changed in shadow (Ubuntu Wily):
status: New → Fix Released
Changed in shadow (Ubuntu Vivid):
status: New → Triaged
Changed in shadow (Ubuntu Trusty):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.9p1-2

---------------
openssh (1:6.9p1-2) unstable; urgency=medium

  [ Colin Watson ]
  * mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen
    invocation onto a separate line to make it easier to copy and paste
    (LP: #1491532).

  [ Tyler Hicks ]
  * Build with audit support on Linux (closes: #797727, LP: #1478087).

 -- Colin Watson <email address hidden> Thu, 10 Sep 2015 12:26:11 +0100

Changed in openssh (Ubuntu Wily):
status: Triaged → Fix Released
Changed in lightdm:
importance: Undecided → Medium
status: New → Fix Committed
milestone: none → 1.17.0
Changed in lightdm (Ubuntu Trusty):
importance: Undecided → Medium
Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Medium
Changed in lightdm (Ubuntu Wily):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.16.2-0ubuntu1

---------------
lightdm (1.16.2-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Fix compile failing without libinput

 -- Robert Ancell <email address hidden> Wed, 16 Sep 2015 14:20:11 -0400

Changed in lightdm (Ubuntu Wily):
status: Triaged → Fix Released
summary: - ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3
+ Add libaudit support
Steve Langasek (vorlon) on 2015-10-16
Changed in audit (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → nobody
bugproxy (bugproxy) on 2015-10-19
tags: added: severity-medium
removed: severity-high
Changed in lightdm:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2015-11-16 18:17 EDT-------
Because this is a security, we request this fix be included in 14.04 SRU please.

Steve Langasek (vorlon) on 2016-01-13
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in shadow (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
description: updated
Michael Hohnbaum (hohnbaum) wrote :

Mathieu, any outlook for this SRU?

Hello bugproxy, or anyone else affected,

Accepted shadow into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1ubuntu9.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shadow (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello bugproxy, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssh (Ubuntu Trusty):
status: Triaged → Fix Committed

------- Comment From <email address hidden> 2016-01-31 23:04 EDT-------
Verified on Ubuntu14.04.4, this bug is not fixed.

root@monklp1:~# /etc/init.d/auditd status
* auditd is running.

root@monklp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=9417 rate_limit=0 backlog_limit=320 lost=2 backlog=0

root@monklp1:~# grep -i login /var/log/audit/audit.log
type=LOGIN msg=audit(1454295455.634:27): pid=9439 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1 res=1
type=LOGIN msg=audit(1454295480.786:35): pid=9471 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=2 res=1
type=LOGIN msg=audit(1454295524.534:43): pid=9508 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=3 res=1

root@monklp1:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
<no events of interest were found>

root@monklp1:~# uname -a
Linux monklp1 4.2.0-25-generic #30~14.04.1-Ubuntu SMP Mon Jan 18 16:25:16 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux

root@monklp1:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 713
Maintainer: Ubuntu Developers <email address hidden>
Architecture: ppc64el
Source: audit
Version: 1:2.3.2-2ubuntu1
Depends: lsb-base (>= 3.0-6), init-system-helpers (>= 1.13~), libaudit1 (>= 1:2.2.1), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins

Breno Leitão (breno-leitao) wrote :

Changing the tag 'verification-needed' to 'verification-failed' considering the last comment on the last 14.04 packages.

tags: added: verification-failed
removed: verification-needed
no longer affects: audit (Ubuntu)
Changed in openssh (Ubuntu):
importance: Undecided → Medium
Changed in shadow (Ubuntu):
importance: Undecided → Medium
Changed in openssh (Ubuntu Trusty):
importance: Undecided → Medium
Changed in openssh (Ubuntu Vivid):
importance: Undecided → Low
Changed in openssh (Ubuntu Wily):
importance: Undecided → Medium
Changed in shadow (Ubuntu Trusty):
importance: Undecided → Medium
Changed in shadow (Ubuntu Wily):
importance: Undecided → Medium
Changed in shadow (Ubuntu Vivid):
importance: Undecided → Low

I'd like to re-validate this for myself before we mark it verification-failed. There really shouldn't be much more than building shadow and openssh with audit support for this to work, so let's take another look.

Marking back to verification-needed.

tags: added: verification-needed
removed: verification-failed
Changed in openssh (Debian):
status: Unknown → Fix Released

Verified for shadow: login correctly reports logins.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-02-02 17:56 EDT-------
Thanks to Tyler and the Canonical crew!

Verified for openssh as well; it now correctly shows entries in aureport -l too.

Attached is a transcript from the two sessions testing shadow and openssh for audit support.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.1.5.1-1ubuntu9.2

---------------
shadow (1:4.1.5.1-1ubuntu9.2) trusty; urgency=medium

  * debian/control, debian/rules: re-enable libaudit support. (LP: #1478087)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 22 Jan 2016 11:21:57 -0500

Changed in shadow (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shadow has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.6

---------------
openssh (1:6.6p1-2ubuntu2.6) trusty; urgency=medium

  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

openssh (1:6.6p1-2ubuntu2.5) trusty-proposed; urgency=medium

  * Backport upstream reporting of max auth attempts, so that fail2bail
    and similar tools can learn the IP address of brute forcers.
    (LP: #1534340)
    - debian/patches/report-max-auth.patch

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jan 2016 10:38:35 -0500

Changed in openssh (Ubuntu Trusty):
status: Fix Committed → Fix Released

Setting the Vivid tasks to Won't Fix since it's been EOL for a little while.

Changed in shadow (Ubuntu Vivid):
status: Triaged → Won't Fix
Changed in openssh (Ubuntu Vivid):
status: Triaged → Won't Fix
Changed in lightdm (Ubuntu Vivid):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.